Cardholder Data: At a minimum, cardholder data consists of the full PAN. Cardholder data may also appear in the form of the full PAN
plus any of the following: cardholder name, expiration date and/or
service code. See Sensitive Authentication Data for additional data
elements that may be transmitted or processed (but not stored) as part
of a payment transaction.

I have a hard time connecting both in the context of the SAQ-A. Apparently we could have received paper receipts from the payment processor (to which payments are outsourced) and that would have been fine provided they are stored correctly (per the requirements of PCI-DSS SAQ-A).

How are these receipts different from the "feedback" we will receive electronically? This "feedback" will hold some data like a name, a payment amount, a date.

In other words: would a paper receipt contain the PAN? If no, how is that different from the electronic acknowledgement the merchant gets from the processor (right after a successful payment, or later in the form of a summary of transactions)?

What I understand you to be asking...well, before we get to that let me make sure: In the electronic responses/documentation you're getting from the payment processor you are not seeing any full PANs, correct? (In non-jargon: none of the electronic feedback you're getting back has full 16-digit card numbers of customers in it, does it?)
– mostlyinformed Oct 12 '15 at 20:20

No, the PAN is not something we will get back. We will get some info about the customer, how much he played, when, etc. I do not understand how this is different from a paper receipt
– WoJ Oct 12 '15 at 20:22

I see. So, about the paper stuff you're getting back from the processor, does it have full PANs in it? Or is your question really more general, along the lines of "Why are paper documentation and electronic documentation treated differently"?
– mostlyinformed Oct 12 '15 at 20:44

We will not be getting any paper, only electronic data. And yes, your summary is indeed at the heart of my question. It could also be: what kind of information CAN we get to stay within SAQ-A?
– WoJ Oct 12 '15 at 20:51

Re. the paper vs. electronic question, see my answer below. Re. the question of what you can get back from your processor that's ok, getting a "masked" card number of a customer back is fine (you are probably most familiar with the kind where the first 12 digits of the number are redacted and only the 4 on the end visible, although technically it's ok to include two digits that are included at an earlier place in the number as well), the expiration date (something I personally think shouldn't be allowed, but the rules say it's fine to keep unencrypted), customer's name, their address...
– mostlyinformed Oct 12 '15 at 21:44
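The masking rule described in the comment above (at most the first six and last four digits of a PAN visible) and the question of how to confirm that processor feedback carries no full card numbers can both be checked in code. The following is an added example, not code from the original post or from any processor; the feedback record format and the card numbers in it are constructed test data.

```python
import re

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN so that no more than the first 6 and last 4 digits stay visible."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS masking allows at most first 6 and last 4 digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def find_unmasked_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run found in electronic feedback.
    Masked numbers (e.g. 411111******1111) never match because '*' breaks the run."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

# Constructed sample of processor feedback: first record is correctly masked,
# second record (wrongly) contains a full number (a well-known Visa test PAN).
SAMPLE_FEEDBACK = (
    "txn=TX-0001 name=J. Doe amount=19.99 date=2015-10-12 card=411111******1111\n"
    "txn=TX-0002 name=A. Smith amount=5.00 date=2015-10-12 card=4111 1111 1111 1111\n"
)

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))                # 411111******1111
    print(mask_pan("4111 1111 1111 1111", keep_first=0))  # ************1111
    print(find_unmasked_pans(SAMPLE_FEEDBACK))            # ['4111111111111111']
```

Running `find_unmasked_pans` over each batch of feedback before it is written to disk is a cheap way for a SAQ-A merchant to notice if a processor ever starts sending full PANs, which would pull that storage into scope.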

1 Answer

From the comments it appears that your question is essentially this: Why is paper documentation of a transaction treated differently than electronic replies or documentation from a transaction, at least in terms of those documents containing full, unencrypted PANs? (Meaning full, unmasked credit and debit card numbers.)

Well, my first response is simply this: ideally merchants shouldn't keep materials with full PANs on/in them, even in paper form. Although the PCI Requirements that apply to SAQ-A merchants do not prohibit having cleartext card numbers visible on paper documentation, they do impose requirements that you need to pay attention to in terms of the creation, storage, handling, use, and destruction of such paper documents. For more complete information on those requirements see "Can we print cardholder data under the PCI DSS Compliance framework and stay compliant?" But the bottom line is that creating, storing, or even just receiving printed materials with full PAN data in them at best creates more compliance and security headaches for you, and at worst, of course, increases the risk that card data will be compromised. Thus, unless you really, really have a special, unavoidable need to receive and temporarily store card numbers on paper from your processor (and frankly my mind is blanking on thinking up any scenario where that would be true) the best way forward is simply not to receive or store them at all. And frankly if you're dealing with a payment processor who is sending you paper material with full PANs in it without an exceptionally good reason I would firmly advise you to take another good look at whether you want to stick with that processor.

Secondly, if we're pondering the question of why you might be allowed to store clear-text card numbers on paper at all when you are forbidden from doing so electronically, well the answer to that is straightforward enough: the Internet is a dangerous place, and any machine connected to it is exposed to that danger. Any machine or network that physically has an electronic connection is exposed (in theory) to electronic attack from any of the more than two billion people who now have some kind of access to it, from every corner of the world. Tireless automated scanning tools or human attackers checking the security of every merchant that they're aware of the existence of can check the router that ties your small network to the Internet for security configuration problems. Problems that can allow an attacker to access everything on your network as if he or she was physically in your building/s and plugging in with an Ethernet cable or connecting to your wifi. Automated phishing campaigns bombard hundreds of thousands or millions of users with emails containing links that lead to websites serving malware or come with attached files that are infected with it. In either case, an attacker again gains access to your internal network or, worse, is able to get a copy of any card numbers that are entered into an infected machine or even any card numbers that ever come into its memory, even for a few seconds.

By contrast, paper documents are simply not exposed to bad guys to the same degree and in the same way. Only people who know that you keep the data and where can deliberately try to steal it, a far different situation (though still a concerning one) than a situation where PANs are kept as electronic information on a device that can interact with a network that two billion people can reach. (And lots of electronic scans running on it from bad actors, hunting for weakly defended systems and improperly-secured financial data on them.) That being said, as discussed above the better practice, by far, is not to store any unencrypted card numbers anywhere in your operations, whether in electronic or paper form.